VPNs on iPhone are insecure (and Apple knows it)

Researcher Michael Horowitz has tested several virtual private network services on iOS. At first glance they seem to work well: you get a different IP address and new DNS servers, and data is sent through the VPN server. But over time, data turns out to leak. The problem has been around for a while, and Horowitz has determined that it is still there in iOS 15.6.

When you connect to a VPN, the operating system is supposed to close all existing internet connections and re-establish them through the VPN tunnel. However, that doesn't happen. Existing connections remain open and are not terminated. They can still send data outside the VPN tunnel, which means that unencrypted data can end up with your provider, for example. Horowitz emphasizes that this is not a DNS leak but a data leak, and that it occurs in several apps. His claims are supported by a March 2020 report from privacy firm Proton, which found a vulnerability as early as iOS 13.3.1.

Apple then promised to add a Kill Switch feature in a future software update, but apparently failed to do so, because the leak still happens. Horowitz tested it, for example, with OpenVPN and the WireGuard protocol, and the iPad continued to send data outside the secure tunnel, for example to Apple servers and to Amazon Web Services. With Apple's push notifications, the unsecured connection can remain open for minutes to hours.
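One way to check for this behaviour from the network side, as an added example that is not taken from Horowitz's or Proton's reports: the script reads a constructed router flow log and lists traffic from the device that still bypasses the VPN server after the tunnel is up, marking connections that already existed before the VPN connected. The log format, all addresses and the function names are assumptions made for this example.

```python
import ipaddress
from datetime import datetime

# Constructed router flow log, in time order (format assumed for this example):
# time  src_ip:src_port  dst_ip:dst_port  proto  bytes
SAMPLE_FLOWS = """\
2022-08-01T10:00:05 192.168.1.50:49152 198.51.100.20:5223 tcp 420
2022-08-01T10:00:40 192.168.1.50:49153 192.0.2.80:443 tcp 900
2022-08-01T10:01:10 192.168.1.50:50000 203.0.113.7:51820 udp 1480
2022-08-01T10:01:30 192.168.1.50:49152 198.51.100.20:5223 tcp 310
2022-08-01T10:02:00 192.168.1.50:50000 203.0.113.7:51820 udp 1200
2022-08-01T10:03:15 192.168.1.50:49160 192.0.2.99:443 tcp 640
2022-08-01T10:04:00 192.168.1.50:49161 192.168.1.20:631 tcp 80
"""

def parse_flow(line):
    ts, src, dst, proto, size = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    key = (src_ip, int(src_port), dst_ip, int(dst_port), proto)
    return datetime.fromisoformat(ts), key, int(size)

def find_leaks(flow_text, device_ip, lan, vpn_endpoint, vpn_up_at):
    """Return {5-tuple: {"bytes", "kind"}} for device traffic that bypasses the VPN."""
    lan = ipaddress.ip_network(lan)
    seen_before, leaks = set(), {}
    for line in filter(str.strip, flow_text.splitlines()):
        when, key, size = parse_flow(line)
        src_ip, _, dst_ip, dst_port, proto = key
        if src_ip != device_ip:
            continue
        if when < vpn_up_at:
            seen_before.add(key)  # connection existed before the tunnel came up
        elif (dst_ip, dst_port, proto) == vpn_endpoint:
            continue  # encrypted tunnel traffic to the VPN server
        elif ipaddress.ip_address(dst_ip) in lan:
            continue  # stays on the local network
        else:
            # Same 5-tuple as before the tunnel: the old connection survived.
            kind = "pre-existing" if key in seen_before else "new"
            entry = leaks.setdefault(key, {"bytes": 0, "kind": kind})
            entry["bytes"] += size
    return leaks

if __name__ == "__main__":
    up = datetime.fromisoformat("2022-08-01T10:01:00")  # constructed tunnel-up time
    vpn = ("203.0.113.7", 51820, "udp")  # constructed VPN server endpoint
    for key, info in find_leaks(SAMPLE_FLOWS, "192.168.1.50", "192.168.1.0/24", vpn, up).items():
        print(key, info)
```

A "pre-existing" entry is the case described above: a connection opened before the VPN was enabled that keeps sending outside the tunnel.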

What does it mean for you?
If you use a VPN and want to be sure that your data is safe and goes through the secure tunnel, you can easily force this. After turning on the VPN, turn airplane mode on and off again. The network connections are then re-established, this time through the VPN tunnel.

However, this is not 100% secure either. Both Proton and Horowitz doubt whether it is sufficient. You could possibly reboot your device and immediately turn on the VPN. Horowitz recommends connecting to a secure router with built-in VPN. However, this is of no use if you are out and about, in places where you need a VPN the most.

Unfortunately, a VPN provider cannot offer a workaround, because iOS does not allow a VPN app to first terminate all existing network connections. With its own ‘VPN-like service’, iCloud Private Relay, Apple does have control.